Attempt to Delete an Okta Network Zone

Elastic Detection Rules

Summary
This rule detects attempts to delete an Okta network zone, an action that can weaken an organization's security settings. Okta network zones govern access based on IPs or geolocations, and unauthorized deletions may signal an adversarial attempt to undermine security controls. When a deletion occurs, several fields should be examined: the actor's ID, the action taken, the details of the network zone affected, and the timing of the event. Investigations should confirm the legitimacy of the actor by checking their usual behavior, and administrators should be consulted to determine if there are any scheduled changes that justify the deletion. In the event of confirmed unauthorized access, prompt action is recommended, including securing the actor's account and reinstating the affected network zone. Effective monitoring and employee training are essential to prevent future incidents.
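The triage steps described in the summary, as an added example (not part of the Elastic rule or its source): it filters Okta System Log events for zone deletions, then checks each actor and timestamp against an approved-administrator list and scheduled change windows. The event type `zone.delete`, the event field layout, the function name, and all sample values are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample events shaped like Okta System Log entries (not real data).
SAMPLE_EVENTS = [
    {"eventType": "zone.delete", "published": "2024-05-02T03:14:07.000Z",
     "actor": {"id": "00u_example_a", "alternateId": "alice@example.com"},
     "target": [{"id": "nzo_example_1", "displayName": "Corp-Egress"}],
     "outcome": {"result": "SUCCESS"}},
    {"eventType": "zone.delete", "published": "2024-05-03T14:30:00.000Z",
     "actor": {"id": "00u_example_b", "alternateId": "bob@example.com"},
     "target": [{"id": "nzo_example_2", "displayName": "Legacy-VPN"}],
     "outcome": {"result": "SUCCESS"}},
    {"eventType": "zone.update", "published": "2024-05-03T14:45:00.000Z"},
    {"eventType": "zone.delete", "published": "2024-05-03T15:00:00.000Z",
     "actor": {"id": "00u_example_c", "alternateId": "carol@example.com"},
     "target": [{"id": "nzo_example_3"}],
     "outcome": {"result": "FAILURE"}},
]
# Assumed inputs from the organization: approved zone admins and change windows.
KNOWN_ADMINS = {"00u_example_b"}
CHANGE_WINDOWS = [(datetime(2024, 5, 3, 14, 0, tzinfo=timezone.utc),
                   datetime(2024, 5, 3, 16, 0, tzinfo=timezone.utc))]

def triage_zone_deletions(events, known_admins, change_windows):
    """Return one finding per zone deletion attempt, failed attempts included."""
    findings = []
    for ev in events:
        if ev.get("eventType") != "zone.delete":
            continue
        when = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        actor = ev.get("actor") or {}
        # Fall back to the zone ID when the log carries no display name.
        zones = [t.get("displayName") or t.get("id") for t in ev.get("target") or []]
        reasons = []
        if actor.get("id") not in known_admins:
            reasons.append("actor is not an approved zone administrator")
        if not any(start <= when <= end for start, end in change_windows):
            reasons.append("outside any scheduled change window")
        findings.append({
            "time": when.isoformat(), "actor_id": actor.get("id"),
            "actor": actor.get("alternateId"), "zones": zones,
            "result": (ev.get("outcome") or {}).get("result"),
            "suspicious": bool(reasons), "reasons": reasons,
        })
    return findings

if __name__ == "__main__":
    for f in triage_zone_deletions(SAMPLE_EVENTS, KNOWN_ADMINS, CHANGE_WINDOWS):
        print(f)
```

Failed attempts are reported as well as successful ones, since the rule targets attempts rather than completed deletions.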
Categories
  • Identity Management
  • Cloud
  • Network
Data Sources
  • User Account
  • Application Log
  • Cloud Service
ATT&CK Techniques
  • T1562
  • T1562.007
Created: 2020-11-06